360 matches found
CVE-2026-5222
Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the...
CVE-2026-5223
Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. The severity of the vulnerability is medium for users of third-party registries. Users of crates.io a...
CVE-2026-5223
Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. The severity of the vulnerability is medium for users of third-party registries. Users of crates.io a...
CVE-2026-5223
CVE-2026-5223 affects Cargo: symlinks inside crate tarballs from third-party registries can cause a malicious crate to override the cached source of another crate from the same registry. The issue is due to how symlinks are handled, enabling modification of source files after download. Impact is ...
CVE-2026-5223 Crates in third party registries can override the cached source of other crates
Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. The severity of the vulnerability is medium for users of third-party registries. Users of crates.io a...
CVE-2026-5223 Crates in third party registries can override the cached source of other crates
Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. The severity of the vulnerability is medium for users of third-party registries. Users of crates.io a...
CVE-2026-5223
Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. The severity of the vulnerability is medium for users of third-party registries. Users of crates.io a...
CVE-2026-5222 Cargo can be coerced to share credentials between registries
Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the...
CVE-2026-5222
Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the...
CVE-2026-5222 Cargo can be coerced to share credentials between registries
Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the...
CVE-2026-5222
Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the...
PT-2026-43024
Name of the Vulnerable Software and Affected Versions Cargo versions 1.68 through 1.95 Description Cargo incorrectly normalized URLs of third-party registries using the sparse index protocol. In scenarios where a hosting provider allows multiple registries to be hosted with arbitrary names within...
PT-2026-43025
Name of the Vulnerable Software and Affected Versions Cargo versions prior to 1.96.0 Description Cargo incorrectly handled symbolic links symlinks—which are files that point to another file or directory—inside crate tarballs downloaded from third-party registries. This allows a malicious crate to...
Cargo 安全漏洞
Cargo is a Rust package manager open-sourced by The Rust Programming Language. A security vulnerability exists in Cargo versions 1.68 through 1.96, which stems from a misnormalization of third-party registry URLs that use the sparse indexing protocol, where an attacker who is able to publish crat...
Docker Model Runner 安全漏洞
Docker Model Runner is an open-source Docker model runner developed by Docker. There is a security vulnerability in Docker Model Runner MLX. This vulnerability stems from the unconditional import and execution of any Python file in the model directory. It may allow malicious models to be pulled...
SUSE CVE-2024-4032
The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the isprivate and isglobal properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and...
CLSA-2026-1778932682 python3: Fix of CVE-2024-4032
CVE-2024-4032: update ipaddress module to reflect latest IANA Special-Purpose Address Registries...
CVE-2026-28909
Users who connect to malicious registries with hostnames matching the bypass patterns will have their registry credentials exposed in plaintext. This issue is fixed in container version 0.12.3...
CVE-2026-28909
Users who connect to malicious registries with hostnames matching the bypass patterns will have their registry credentials exposed in plaintext. This issue is fixed in container version 0.12.3...
CVE-2026-28909
Users who connect to malicious registries with hostnames matching the bypass patterns will have their registry credentials exposed in plaintext. This issue is fixed in container version 0.12.3...